Analysis of Endpoint Logs with Splunk for Detection of Malicious Activity

In this article Dimitris Margaritis talks about how to detect malicious activity via analysis of Endpoint Logs with Splunk.

1. Introduction

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time [1].

Sysmon log contains information which can be analyzed to detect modern attacks that bypass traditional detection tools. Mark Russinovich did a presentation at RSA 2016 about sysmon, its EventIDs and explained how sysmon can be used to detect malware. [2]

Sysmon Events should be sent to Log Management System e.g Spunk, Elastic Search for analysis and there are few ways to do it e.g build-in WEF capability of Windows or an agent on endpoint like Splunk Universal Forwarder [3,4].

The main challenges in centralizing and analyzing sysmon logs are the management of the volume and the filtering of the noise. This is very important for big networks (>10.000 hosts) especially when the licensing of the log management system is based on indexed volume like in Splunk.

Sysmon logs are a part of endpoints logs that must be analyzed and other sources include specific events from the security log, EMET log and PowerShell version 5 logs. It should be noted that how Sysmon data can be used and what detection rules can be developed depends on other security tools and policies that exist on a given network e.g A correlation rule can be developed to alert for malicious attachments that entered a network and an alarm raised by a network IDS without further information if finally at the endpoint the attachment was opened or not. A malicious attachment can be blocked by AV on Email gateway or  on email server or on  the endpoint or by user awareness.Full command line of Acrobat and Office executables in sysmon EventID 1 can be used to see if a malicious attachment was finally opened.

[su_button url=”http://securitylogsanalysis.blogspot.ru/2016/04/analysis-of-endpoint-logs-with-splunk.html” target=”blank” style=”flat” background=”#222348″ size=”7″ radius=”0″]Read more[/su_button]